Two questions in one. A php file was recently introduced in the root directory of my Wordpress installation (a domain installation). It didn't disturb my website but was apparently using the domain address to propagate ads.

1) How can someone paste a file into my root directory? How to stop that from happening again?

Sucuri doesn't detect anything at the moment: my host was helpful, they ran some scan and point me in the right direction. I manually removed the dubious file. I actually knew I got hacked. But what about my two questions (they remain unanswered): 1) How can someone access the root folder of my installation; 2) What’s this code can be used for?
–
ParneixMar 13 '12 at 2:32

"How can someone access the root folder of my installation?" Your host is insecure. "What does the code do?" Try any of the online php decoders to decode it.
–
songdogtechMar 13 '12 at 3:05

My host is on your list of recommended Wordpress Web Hosting. I'll write to them to try to get more info. And thanks for the suggestion about php decoders.
–
ParneixMar 13 '12 at 3:09